Logstash is not naming indices based on Filebeat tags

a.sailor · December 7, 2018, 3:35pm

Hi all experts!
I have the following configuration:

Beats:

filebeat.inputs:
 -type: log
  enabled: true
  tags: ["apache-error"]
  paths:
 - /var/log/httpd/error_log

 - type: log
   enabled: true
   tags: ["apache-access"]
   paths:
   - /var/log/httpd/access_log

... and logstash:

 if "apache-error" in [tags] {
            elasticsearch {
                    hosts => ["ES1"]
                    index => "apache-error-%{+YYYY.MM.dd}"
            }
 }

if "apache-access" in [tags] {
            elasticsearch {
                    hosts => ["ES2"]
                    index => "apache-access-%{+YYYY.MM.dd}"
            }
  }

However, indices are shown in ES like this:

filebeat-6.5.1-2018.12.07

Where am i messing up ?
Thanks in advance!

shaunak · December 11, 2018, 1:48am

In your logstash output section, could you temporarily add this section so we can inspect the events being generated?

output {
   # ... existing plugins/if statements

  stdout {
    codec => rubydebug
  }
}

Then restart your Logstash node and look at the event objects being printed out to stdout. That might give you some clue as to why things aren't working as expected. If you can't figure it out, feel free to post a few events from stdout here (with any sensitive information redacted).

system · January 8, 2019, 1:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not writing to ElasticSearch Logstash	2	919	January 30, 2019
Filebeat V7.4.1 output.elasticsearch not writing to defined index "logstash" Beats filebeat	6	618	November 26, 2019
From logstash-forwarder to filebeat, how can use tags? Beats filebeat	2	1552	July 5, 2016
Not parsing apache access and error logs Logstash	3	1596	February 26, 2021
Filebeat to send logs to Logstash and ES Elasticsearch	7	1491	October 22, 2019

Logstash is not naming indices based on Filebeat tags

Related Topics